osCommerce: Identifying Malware

Websites are now the primary sales funnel for many businesses. Every day, small to medium-sized businesses conduct billions of dollars of business via their websites. Most e-commerce websites use a piece of software called a shopping cart, which lets users pick what they would like to buy and then pay via a number of payment methods.

One popular application that website owners use to manage online transactions is osCommerce. Thousands of websites use this software. In the last three months we have witnessed a spate of intense attacks targeting shopping cart software like osCommerce. In this post we discuss the specifics of this attack and how to identify the malware that is injected as a result of the intrusion.

Identifying the Malware
The attack targets osCommerce and other shopping carts by exploiting an application vulnerability to inject malware into the website running the shopping cart, which in turn causes website visitors to become infected. This strain of malware has been extremely pervasive.

We have seen variants of the following malware on web sites running shopping cart software by osCommerce and OpenCart. The malware can be found in JavaScript, PHP, and HTML files on the infected web site.

What this Attack Does
The malware code attempts to display a malicious iframe which could lead the visitor to a fake Anti-Virus (AV) website. This opens the door to malware being installed on the website visitor’s personal computer.

Removing the Malware
In most shopping cart installations, malware will have been inserted in the config.php file on your website. It is usually located in the following place: www.yoursite.com/config.php.

The entire code present between the start and end signatures shown above must be removed.
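
The removal step can be scripted across the JavaScript, PHP and HTML files of a site. The Python below is an added example, not code from the original post: START_SIG and END_SIG are constructed placeholders to be replaced with the start and end signatures of the variant found on your site, and the function names are this example's own.

```python
import os
import re
import shutil

# Placeholder markers, constructed for this example: substitute the start and
# end signatures of the variant found on your site.
START_SIG = b"/*INJECT-START-PLACEHOLDER*/"
END_SIG = b"/*INJECT-END-PLACEHOLDER*/"
EXTENSIONS = (".php", ".js", ".html", ".htm")  # file types named in the post
BLOCK = re.compile(re.escape(START_SIG) + b".*?" + re.escape(END_SIG), re.DOTALL)


def strip_injected(data):
    """Return (cleaned, blocks_removed, dangling) for a file's bytes.

    dangling is True when a start marker is left without an end marker;
    that file needs manual review, not automatic editing.
    """
    cleaned, removed = BLOCK.subn(b"", data)
    return cleaned, removed, START_SIG in cleaned


def scan_tree(root, backup_dir=None):
    """Report files carrying marker-delimited blocks under root.

    With backup_dir set, each infected file is copied there and then cleaned
    in place. Keep backup_dir outside the web root: a copy of config.php
    with another extension would be served as plain text.
    Returns {path: "infected" | "cleaned" | "manual-review"}.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            cleaned, removed, dangling = strip_injected(data)
            if dangling:
                report[path] = "manual-review"
            elif removed and backup_dir:
                flat = os.path.relpath(path, root).replace(os.sep, "__")
                shutil.copy2(path, os.path.join(backup_dir, flat))
                with open(path, "wb") as fh:
                    fh.write(cleaned)
                report[path] = "cleaned"
            elif removed:
                report[path] = "infected"
    return report
```

Call scan_tree without backup_dir first to get a report only, and inspect by hand any file listed as manual-review before editing it.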

Conclusion
Following removal of the malware, you must upgrade your installation of osCommerce to osCommerce 2.3 or higher and analyze your website for any application vulnerabilities. Securing the permission settings of your admin directory, or renaming the directory to a value different from the default, can mitigate automated attacks attempting to exploit osCommerce 2.2 versions.

If you need additional support, please see if our services can help and feel free to contact us with any comments or questions.